Paranoid Penguin - Secure Anonymous FTP with vsftpd

To keep your FTP site secure, stick to anonymous access only and run an FTP dæmon with minimal complexity.

Virtual Servers

If you want multiple virtual FTP servers on one physical host that has
multiple IP addresses, vsftpd can do this easily. All you need to do is run
one instance of the vsftpd dæmon per virtual server, each with its own
vsftpd.conf file specifying which IP address to listen on and which
directory to use as its anonymous root.

For example, suppose I've got two IP addresses assigned to my machine,
1.2.3.4 and 1.2.3.5, registered in DNS to the names knusper and rover,
respectively. In that case, I could have two configuration files for
vsftpd, say, /etc/vsftpd.knusper and /etc/vsftpd.rover. Listings 2 and
3 show these files.

Notice my possibly foolish use of the local_enable parameter in
Listing 3. Setting it to YES is dangerous, because FTP sends logon
credentials in clear text, and you never want real system credentials
exposed to eavesdropping, especially on an Internet-connected server.
The real reason I show it here is to illustrate that, because each virtual
server uses its own configuration file, you can specify completely
different behavior for each. One virtual server may have a public
uploads directory that anonymous users write to, whereas another
may be a strictly read-only FTP site. The flip side is that settings
you consider important to overall system security must be set
consistently across every virtual server on the machine: the instances
share one host, one filesystem and one set of user accounts, so a lax
setting in any one configuration file weakens all of them.

Besides creating different configuration files for each virtual FTP
server you want vsftpd to serve up, you also need to alter your startup
script accordingly. The startup script on my sample server, represented
by Listings 2 and 3, would need something equivalent to these two lines:

vsftpd /etc/vsftpd.knusper
vsftpd /etc/vsftpd.rover

If you run Red Hat or Fedora, this already has been taken care of for
you. The /etc/init.d/vsftpd script included with those distributions'
vsftpd RPM packages automatically parses the directory /etc/vsftpd for
as many configuration files as you care to put there, so long as the
filename of each ends with .conf. This strikes me as an excellent bit of
foresight on the part of the Red Hat team.
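The procedure above, written out as an added shell example (this is not code from the article or from the vsftpd project): it generates one configuration file per virtual server for the article's knusper and rover, with the per-server settings (listen address, anonymous root, whether anonymous uploads are accepted) varying and a shared hardening block that is identical in every file; it then checks that the security-critical keys really do agree across all files, which is the consistency caveat from the previous section, before starting one dæmon per file the way the two startup lines and the Red Hat init script loop do. The configuration directory, the addresses 1.2.3.4 and 1.2.3.5, the /var/ftp/* roots and the ftpsecure account named in nopriv_user are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's or vsftpd's own code. Generates a
# vsftpd config per virtual server, checks that the security-critical
# settings agree across all of them, and starts one daemon per file.
# CONF_DIR, host names, IPs, /var/ftp/* and the nopriv_user account name
# are assumptions for illustration.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# write_conf NAME LISTEN_IP ANON_ROOT UPLOADS(YES|NO)
# Per-server settings vary; the hardening block at the end is identical
# in every file written by this function.
write_conf() {
    name=$1; ip=$2; root=$3; uploads=$4
    f="$CONF_DIR/$name.conf"
    {
        echo "# vsftpd virtual server: $name"
        echo "listen=YES"                    # standalone, one instance per address
        echo "listen_address=$ip"
        echo "anon_root=$root"
        echo "ftpd_banner=$name: anonymous FTP only"
        if [ "$uploads" = YES ]; then
            echo "write_enable=YES"
            echo "anon_upload_enable=YES"     # drop-box: upload only,
            echo "anon_mkdir_write_enable=NO" # no directories,
            echo "anon_other_write_enable=NO" # no rename or delete
            echo "anon_umask=077"             # uploads land as mode 0600
        else
            echo "write_enable=NO"
            echo "anon_upload_enable=NO"
        fi
        # Settings every virtual server on this host must share
        echo "anonymous_enable=YES"
        echo "local_enable=NO"               # never real credentials over FTP
        echo "anon_world_readable_only=YES"
        echo "xferlog_enable=YES"
        echo "xferlog_std_format=YES"
        echo "nopriv_user=ftpsecure"         # assumed unprivileged account
        echo "max_clients=50"
        echo "max_per_ip=5"
        echo "idle_session_timeout=300"
        echo "data_connection_timeout=120"
    } > "$f"
    echo "$f"
}

# Keys whose values must be identical in every config file; a lax value
# in one virtual server weakens the whole host.
MUST_MATCH="anonymous_enable local_enable anon_world_readable_only xferlog_enable nopriv_user"

# setting FILE KEY -> prints the last value set for KEY (empty if unset)
setting() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_consistent FILE... -> 0 if every MUST_MATCH key agrees with the
# first file's value, 1 (with a report on stderr) otherwise
check_consistent() {
    ref=$1; rc=0
    for key in $MUST_MATCH; do
        want=$(setting "$ref" "$key")
        for f in "$@"; do
            got=$(setting "$f" "$key")
            if [ "$got" != "$want" ]; then
                echo "MISMATCH: $key is '$want' in $ref but '$got' in $f" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# start_all: one vsftpd process per config file, the loop the Red Hat
# init script performs over /etc/vsftpd/*.conf.
start_all() {
    for f in "$CONF_DIR"/*.conf; do
        ${VSFTPD_BIN:-vsftpd} "$f"
    done
}

write_conf knusper 1.2.3.4 /var/ftp/knusper NO  >/dev/null
write_conf rover   1.2.3.5 /var/ftp/rover   YES >/dev/null
VSFTPD_BIN="echo vsftpd"   # dry run: print the commands; remove to start the daemons
check_consistent "$CONF_DIR"/*.conf && start_all
```

Run it as an unprivileged user to see the two generated files and the two startup commands; drop the VSFTPD_BIN line (and point CONF_DIR at /etc/vsftpd) to start the dæmons for real. The check deliberately compares only the keys that matter host-wide, so the rover drop-box and the read-only knusper can still differ in their upload settings while local_enable, nopriv_user and logging stay locked down on both.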

That's all you need to know about setting up a simple and secure anonymous
FTP server with vsftpd. As I mentioned, I've only covered a subset
of what vsftpd is capable of doing. Despite its minimalist design
philosophy, this is a powerful FTP server indeed. Fortunately, it's
also well documented, so it's really no cop-out for me to refer
you to the vsftpd.conf(5) man page and the EXAMPLE/ directory for
information on the many other uses of vsftpd.

Mick Bauer, CISSP, is Linux Journal's security editor and an IS security
consultant in Minneapolis, Minnesota. He's the author of Building Secure
Servers With Linux (O'Reilly & Associates, 2002).

I would like to set up a site where people can just click the installer that they want to download, and the prompt asking to open or save the file will appear automatically (no need for any username or email address). The installers are located on a Linux server. I have already installed vsftpd; the problem is I don't know how to configure my FTP to this setup.

Is it possible to have uploaded files have ownership set to the name of the user that uploaded them? For example, if user 'user1' uploads a file, the owner should be 'user1' instead of 'ftp' (the default). Additionally, if 'user2' logs in (and is placed in a different root directory - which I have working fine), the owner of files should be 'user2'. Is this easily possible (and within one vsftpd.conf)? Thank you.

1. Very good and detailed article about secure ftp
2. Problems:
When I tried to start "vsftpd &" on Redhat 4, I got the following error:
"./vsftpd: error while loading shared libraries: libssl.so.6: cannot open shared object file: No such file or directory"

Thanks Mick,
It is a very nice article. I think it will help many in configuring
vsftpd in the correct way.
My query is regarding how to configure the server so that my server
supports privileged ports. I have enabled the option

Yes you can, but with a separate package not related to vsftpd but to Linux. Check Red Hat for info. It is similar for all Linux versions.
It is not difficult but a bit laborious for the first setup. After that it's transparent.

Hi, I have established a vsftpd server on my Fedora Core 3 machine. Now I want to have restrictions on the IPs that access my server. How could I set permissions and access rights based on the IPs of the systems?

I have everything working fine except when anonymous writes a file it always gets the permissions 600. No matter what I do to the anon_umask it stays the same. Does anyone have any idea how to change this and make it upload a file with different permissions?

I am using Fedora Core 3 and installed VSFTPD, but when I try to check my FTP server I always get "500 OOPS: Could not bind listening IPv4 socket". I have followed the steps to set up VSFTPD but still I get this error. What could be my problem?

Check your vsftpd.conf file. If the command "listen=YES" is not commented out, then comment it out. For some reason, the example file seems to enable it by default. When enabled, it can only run in the "stand-alone" mode, not from xinetd.

I had the same problem. Don't know why, the ipconfig firewall closed ports 20 & 21 to the inner system (SUSE 9.2 Prof). Guard from inner system (or whatever it is called in English) is NOT activated.

Solution: Do NOT open the ports 20 & 21 in the experts-firewall-settings. Does not work.
You have to type there "ftp" - and make your vsftpd listen to your inner system only (if you want it to), using listen_at=(IP) in standalone-mode.

My FTP root was not readable, so vsftpd would start, but I couldn't get it to allow anonymous uploads, no matter what I did. I looked for hours for the answer! Why is it not spelled out a little more clearly in the docs?? Why do you have to look at an Oracle Manual to find an obvious VSFTPD config issue??

Markus, you have HUGE props in my book for putting that info down... too bad it took a few hours of google, change config, get frustrated, repeat before I came across this post.

I think I'll drop by vsftpdrocks.org and relay this info. Thanks again.

Gah! I am also trying to get anonymous to be able to write. I have got this working on one Fedora 8 box, but on another Fedora 8 I cannot get it to allow me to write; the clues on the non-working machine are: